ies and cybercriminal groups.?

TechCrunch reports that Coruna is definitely of US origin:

    Two former employees of government contractor L3Harris told TechCrunch that
Coruna was, at least in part, developed by the company?s hacking and
surveillance tech division, Trenchant. The two former employees both had
knowledge of the company?s iPhone hacking tools. Both spoke on condition of
anonymity because they weren?t authorized to talk about their work for the
company.

It?s always super interesting to see what malware looks like when it?s created
through a professional software development process. And the TechCrunch article
has some speculation as to how the US lost control of it. It seems that an
employee of L3Harris?s surviellance tech division, Trenchant, sold it to the
Russian government.

** *** ***** ******* *********** *************
US Bans All Foreign-Made Consumer Routers

[2026.04.02] This is for new routers; you don?t have to throw away your existing
ones:

    The Executive Branch determination noted that foreign-produced routers (1)
introduce ?a supply chain vulnerability that could disrupt the U.S. economy,
critical infrastructure, and national defense? and (2) pose ?a severe
cybersecurity risk that could be leveraged to immediately and severely disrupt
U.S. critical infrastructure and directly harm U.S. persons.?

More information:

    Any new router made outside the US will now need to be approved by the FCC
before it can be imported, marketed, or sold in the country.

    In order to get that approval, companies manufacturing routers outside the
US must apply for conditional approval in a process that will require the
disclosure of the firm?s foreign investors or influence, as well as a plan to
bring the manufacturing of the routers to the US.

    Certain routers may be exempted from the list if they are deemed acceptable
by the Department of Defense or the Department of Homeland Security, the FCC
said. Neither agency has yet added any specific routers to its list of equipment
exceptions.

    [...]

    Popular brands of router in the US include Netgear, a US company, which
manufactures all of its products abroad.

    One exception to the general absence of US-made routers is the newer
Starlink WiFi router. Starlink is part of Elon Musk?s company SpaceX.

Presumably US companies will start making home routers, if they think this
policy is stable enough to plan around. But they will be more expensive than
routers made in China or Taiwan. Security is never free, but policy determines
who pays for it.

** *** ***** ******* *********** *************
Company that Secretly Records and Publishes Zoom Meetings

[2026.04.03] WebinarTV searches the internet for public Zoom invites, joins the
meetings, secretly records them, and publishes (alternate link) the recordings.
It doesn?t use the Zoom record feature, so Zoom can?t do anything about it.

EDITED TO ADD (4/13): 404 Media has a follow-on article.

** *** ***** ******* *********** *************
Google Wants to Transition to Post-Quantum Cryptography by 2029

[2026.04.06] Google says that it will fully transition to post-quantum
cryptography by 2029. I think this is a good move, not because I think we will
have a useful quantum computer anywhere near that year, but because
crypto-agility is always a good thing.

Slashdot thread.

** *** ***** ******* *********** *************
New Mexico?s Meta Ruling and Encryption

[2026.04.06] Mike Masnick points out that the recent New Mexico court ruling
against Meta has some bad implications for end-to-end encryption, and security
in general:

    If the ?design choices create liability? framework seems worrying in the
abstract, the New Mexico case provides a concrete example of where it leads in
practice.

    One of the key pieces of evidence the New Mexico attorney general used
against Meta was the company?s 2023 decision to add end-to-end encryption to
Facebook Messenger. The argument went like this: predators used Messenger to
groom minors and exchange child sexual abuse material. By encrypting those
messages, Meta made it harder for law enforcement to access evidence of those
crimes. Therefore, the encryption was a design choice that enabled harm.

    The state is now seeking court-mandated changes including ?protecting minors
from encrypted communications that shield bad actors.?

    Yes, the end result of the New Mexico ruling might be that Meta is ordered
to make everyone?s communications less secure. That should be terrifying to
everyone. Even those cheering on the verdict.

    End-to-end encryption protects billions of people from surveillance, data
breaches, authoritarian governments, stalkers, and domestic abusers. It?s one of
the most important privacy and security tools ordinary people have. Every major
security expert and civil liberties organization in the world has argued for
stronger encryption, not weaker.

    But under the ?design liability? theory, implementing encryption becomes
evidence of negligence, because a small number of bad actors also use encrypted
communications. The logic applies to literally every communication tool ever
invented. Predators also use the postal service, telephones, and in-person
conversation. The encryption itself harms no one. Like infinite scroll and
autoplay, it is inert without the choices of bad actors - choices made by
people, not by the platform?s design.

    The incentive this creates goes far beyond encryption, and it?s bad. If any
product improvement that protects the majority of users can be held against you
because a tiny fraction of bad actors exploit it, companies will simply stop
making those improvements. Why add encryption if it becomes Exhibit A in a
future lawsuit? Why implement any privacy-protective feature if a plaintiff?s
lawyer will characterize it as ?shielding bad actors??

    And it gets worse. Some of the most damaging evidence in both trials came
from internal company documents where employees raised concerns about safety
risks and discussed tradeoffs. These were played up in the media (and the
courtroom) as ?smoking guns.? But that means no company is going to allow anyone
to raise concerns ever again. That?s very, very bad.

    In a sane legal environment, you want companies to have these internal
debates. You want engineers and safety teams to flag potential risks, wrestle
with difficult tradeoffs, and document their reasoning. But when those
good-faith deliberations become plaintiff?s exhibits presented to a jury as
proof that ?they knew and did it anyway,? the rational corporate response is to
stop putting anything in writing. Stop doing risk assessments. Stop asking hard
questions internally.

    The lesson every general counsel in Silicon Valley is learning right now:
ignorance is safer than inquiry. That makes everyone less safe, not more.

The essay has a lot more: about Section 230, about competition in this space,
about the myopic nature of the ruling. Go read it.

** *** ***** ******* *********** *************
Hong Kong Police Can Force You to Reveal Your En
--- FMail-lnx 2.3.2.6-B20251227
 * Origin: TCOB1 A Mail Only System (618:500/1)